Michael Kedar

Results 27 comments of Michael Kedar

This iteration of this bug hasn't been fixed. There was a previous issue related to this, but that's since been closed. I don't believe anything has changed since that section...

#1111 only covered the Python worker, importer and exporter. Off the top of my head, what needs to be looked at:
- Converters
  - alpine, cve, debian
- The API...

The Go logging helper LGTM. Though if we were to add a `LoggerWrapper.Errorf` without a stack trace (that we want to show up on the Error Reporting dashboard) we'd need...

I think this might be caused by an oversight on my end. I'm guessing completely relocking the project resolves the vulnerability without the need to change your direct requirements, and...

Thanks for providing your manifest & lockfile, it's very helpful! First, I will note that GHSA-jf85-cpcp-j695 appears 3 times in the scan output: ``` | https://osv.dev/GHSA-jf85-cpcp-j695 | 9.1 | npm...

Looking a bit into this, there's another awkward edge case with optional prod dependencies & non-optional dev dependencies (`devOptional`) that we might want to consider.

> dev, optional, devOptional: If...

@andrewpollock would be the best person to address this, but he's out-of-office until next week.

I think Chainguard might be on a bit of an edge case with our `alias` vs `related` distinction, but I'll try to give our rationale: The primary purpose of the `aliases`...

Thanks for doing this! I've merged #3402, so we should be seeing the records populating on https://test.osv.dev soon (and queryable on the https://api.test.osv.dev/v1 API). If all seems good, we can...

Without the `distro` qualifier being properly defined (there's not even an [example of its usage for `apk`](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#apk) 😕) this is hard to properly support. We might be able to add some...